fix(bedrock-agentcore-alpha): add tracing resource policy opt-out#37984
fix(bedrock-agentcore-alpha): add tracing resource policy opt-out#37984gingeekrishna wants to merge 4 commits into
Conversation
gingeekrishna
had a problem deploying
to
automation
GitHub Actions
Failure
github-actions
Bot
added
p2
beginning-contributor
There was a problem hiding this comment.
The pull request linter fails with the following errors:
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
✅ A exemption request has been requested. Please wait for a maintainer's review.
There was a problem hiding this comment.
Pull request overview
Adds a public opt-out for auto-creating the per-stack X-Ray AWS::XRay::ResourcePolicy when Runtime tracing is enabled, addressing multi-stack quota exhaustion scenarios while keeping the default behavior unchanged.
Changes:
- Introduced
tracingResourcePolicyonRuntimePropswithTracingResourcePolicyMode(AUTOdefault,NONEopt-out). - Threaded a “create resource policy” flag into tracing delivery setup and made policy creation conditional.
- Extended unit tests to assert default policy creation and verify opt-out mode still synthesizes tracing delivery resources without the policy.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts | Adds assertions for default X-Ray policy creation and a new test covering policy opt-out mode. |
| packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/runtime/runtime.ts | Adds the new TracingResourcePolicyMode / config types and wires the new prop into runtime tracing setup. |
| packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/runtime/observability.ts | Makes X-Ray resource policy creation optional while preserving tracing delivery resource synthesis. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Exemption Request |
aws-cdk-automation
added
the
pr-linter/exemption-requested
|
Clarification Request |
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
added
the
pr/reviewer-clarification-requested
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
|
Update: opened upstream tracking issue for the workflow dependency fix: https://github.com/aws-github-ops/aws-issue-triage-manager/issues/42\n\nThis tracks replacing deprecated set-output usage with GITHUB_OUTPUT in aws-issue-triage-manager. |
|
Clarification Request\nThe single failing check is from Set Issue Label and Assignee (pr-triage-manager path).\nFor a temporary unblock of contributor PRs, maintainers could either re-run/override this automation check, or apply a small workflow mitigation to avoid failing the full PR gate when this external dependency job errors.\nUpstream tracking issue for permanent fix: aws-github-ops/aws-issue-triage-manager#42 |
gingeekrishna
changed the title
|
Applied temporary workflow mitigation: added continue-on-error to pr-triage-manager job in issue-label-assign.yml.\n\nThis allows the PR to proceed even if the external triage action fails due to deprecated set-output usage, while upstream fix (aws-github-ops/aws-issue-triage-manager#42) is being addressed.\n\nThe triage automation will still run and attempt to label/assign, but failures won't block merge. |
gingeekrishna
force-pushed
the
fix/37962-short-description
branch
from
3b46f37 to
24a7932
Compare
gingeekrishna
force-pushed
the
fix/37962-short-description
branch
from
24a7932 to
3d3c0af
Compare
…licy opt-out Adds integration test covering the NONE mode for TracingResourcePolicyMode, verifying tracing delivery resources are created without the X-Ray resource policy. Snapshot to be generated once full build pipeline is available.
gingeekrishna
force-pushed
the
fix/37962-short-description
branch
from
3d3c0af to
c5133c0
Compare
…from tracing AWS automatically manages the required XRay resource policy when the deploying identity has xray:PutResourcePolicy and xray:ListResourcePolicies permissions, making the explicit per-stack AWS::XRay::ResourcePolicy redundant. Both the L2's explicit policy and the AWS auto-managed policy require the same xray:PutResourcePolicy prerequisite, so there is no scenario where the L2's policy enables trace delivery that AWS's auto-managed policy would not also enable. Removes: - TracingResourcePolicyMode class and TracingResourcePolicyConfig interface - tracingResourcePolicy prop from RuntimeProps - XRayResourcePolicy internal class from observability.ts - TracingDeliveryConfig interface - Integ test for the now-removed opt-out feature Fixes aws#37962
|
Thank you for the detailed analysis @kevin-riste! The empirical evidence and AWS documentation quote make the case conclusively. I've updated the implementation based on your revised proposal. Instead of the opt-out prop, the per-stack Changes in the latest commit (
The |
… runtime (#37962)
Issue # (if applicable)
Closes #37962.
Reason for this change
When [Runtime] is created with [tracingEnabled: true], the construct currently auto-creates an [AWS::XRay::ResourcePolicy] singleton per stack. In multi-stack deployments, this can exhaust the regional/account quota for X-Ray resource policies, causing deployment failures (ServiceLimitExceeded) even when users would prefer to manage a single shared policy externally.
Description of changes
Added an opt-out mechanism for tracing policy auto-creation in @aws-cdk/aws-bedrock-agentcore-alpha runtime observability flow.
Key changes:
Introduced a new runtime configuration model:
[TracingResourcePolicyMode.AUTO] (default): preserves existing behavior
[TracingResourcePolicyMode.NONE]: skips auto-creation of [AWS::XRay::ResourcePolicy]
Added [tracingResourcePolicy?: TracingResourcePolicyConfig] to [RuntimeProps].
Updated runtime construction path to pass policy-creation intent into tracing delivery setup.
Updated tracing delivery internals to conditionally create and wire the X-Ray resource policy, while still creating tracing delivery source/destination/delivery resources.
Why this addresses the issue:
It keeps current behavior unchanged for existing users (backward compatibility).
It enables multi-stack users to rely on a centrally managed/shared X-Ray resource policy and avoid quota exhaustion from per-stack policy creation.
Alternatives considered:
Keeping only AUTO behavior and requiring users to remove policies via Aspects.
Rejected because it relies on internal construct-tree manipulation and is not a stable public API experience.
Adding a more complex SHARED import model now.
Deferred to keep this fix minimal and production-safe; AUTO/NONE solves the immediate quota blocker.
Describe any new or updated permissions being added
No new IAM permissions were introduced.
No existing IAM action scope was expanded.
The change only controls whether the X-Ray resource policy resource is synthesized.
Description of how you validated changes
Validation performed:
Updated unit tests in runtime observability coverage to confirm:
Default mode ([AUTO] still synthesizes one [AWS::XRay::ResourcePolicy].
Opt-out mode ([NONE] synthesizes tracing delivery resources but does not synthesize [AWS::XRay::ResourcePolicy].
Confirmed edited TypeScript files report no language-service errors.
Environment note:
Full package/repo test wrapper execution ([cdk-test] / some Nx-Lerna paths) was blocked in this local Windows setup due to missing generated build-tool entrypoints and yarn PATH behavior for subprocesses. The functional regression coverage was validated via updated assertions in the affected unit test suite.
Checklist